[Håkon Wium Lie:]
> Yes. It's a tradeoff. Slightly more work for font publishers with
> restrictions -- they would have to add this to their .htaccess file:
>
> <FilesMatch "\.(ttf|TTF|otf|OTF|woff|WOFF)$">
> Header set From-Origin same
> </FilesMatch>
That's not work for font publishers, that's work for the guy who
licensed and paid for the font and now needs to monkey around with
his HTTP server config to conform to the license. (And assumes he
has access to .htaccess, which is not always the case e.g. small
business using a hosting service). Never mind the skills to do it
correctly and verify that the font is indeed same-origin after the
change. This also has to be done for every server that may serve
the font for this domain etc.
If, on the other hand, browsers enforce same-origin by default, then
all the author has to do is to put the font in a directory on their
server and reference it.
Can we *at least* agree this is a much lower barrier for authors in
the most general use-case?
> In return we get a mechanism that the whole web can use, one that also
> solves privacy concerns.
Solving the problem generally is always nice, but as the default
behavior of the general solution conflicts with the smart default
for fonts it does not really improve on the current solution for
our purposes. One possible tweak would be to say that resources
loaded by @font-face should be treated as if From-Origin:same was
set unless the server sets that header.
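As an added illustration that is not part of this thread, here is a small Python model of the load decision the tweak above would give a browser. It assumes the draft From-Origin semantics (values `same`, `any`, or a space-separated list of origins) and treats an @font-face load with no header as if `From-Origin: same` had been sent, while other resources keep the permissive default.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize scheme://host[:port], dropping the scheme's default port."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{p.port}"


def parse_from_origin(value):
    """Assumed grammar: 'same', 'any', or a space-separated origin list."""
    if value is None:
        return None
    tokens = value.strip().split()
    if len(tokens) == 1 and tokens[0].lower() in ("same", "any"):
        return tokens[0].lower()
    return [t.lower() for t in tokens]


def may_load(document_url, resource_url, headers, from_font_face=False):
    """Return True if the document may use the response.

    headers: response header dict (case-insensitive lookup).
    from_font_face: the resource was requested by an @font-face rule; with the
    proposed tweak such loads default to 'same' when no header is present.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = parse_from_origin(lowered.get("from-origin"))
    if policy is None:
        policy = "same" if from_font_face else "any"
    doc, res = origin_of(document_url), origin_of(resource_url)
    if policy == "any":
        return True
    if policy == "same":
        return doc == res
    return doc in policy  # explicit origin list


if __name__ == "__main__":
    # Constructed sample: a font hosted on another origin with no header.
    print(may_load("https://shop.example", "https://cdn.example/f.woff",
                   {}, from_font_face=True))  # → False
```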